Title of the Invention

One-time Logon Method for Distributed Computing Systems 

Background of the Invention 

The present invention relates to a login authentication 
technique that allows a user who is using a business system to 
use a commercial service system safely and enables multiple users 
who are using the business system to share an account of the 
commercial service system. 

At present, a user frequently uses various commercial
services via an intranet business system and the Internet at
the same time. The intranet business system performs login
authentication to enable processing in accordance with the user's
official authority. However, if a service via the Internet is
charged, login authentication is required for utilization
of the service. The following requirements are provided for
utilization of these multiple systems.

(1) When a user uses a commercial service system from
inside an enterprise, the user need not be aware of the system
or service that the user is using. That is, the login
authentication of the commercial service system need not be
performed explicitly.

(2) Because in-house users who can use a commercial
service system must be limited in accordance with their official
authority, security concerning the information (accounting) about
login authentication also needs to be considered. That is, even
if a password is leaked to another user, the password is rejected
by the login authentication.

(3) Because a business system that is already operating
and a commercial service may be linked, the load on the business
system is minimized.

(4) Because it is mostly unrealistic from the standpoint
of accounting that accounts for in-house users who use a
commercial service are secured, multiple in-house users can share
an account.

To satisfy requirement (1), a method for transferring
a special key generated in accordance with a protocol arranged
between a business system and a service system to a client
(terminal) is considered so that the commercial service can
be used directly from the client. In this case, to satisfy
requirement (2), a fixed user ID and password as in normal
login authentication cannot be used as the key. To realize the
above login authentication function, utilization of what is
called a one-time password is considered. The prototype of the
one-time password is Lamport's hash algorithm, which is described
in "Password Authentication with Insecure Communication" by
Leslie Lamport, Communications of the ACM, Volume 24, Issue
11 (November 1981), pages 770 to 772.
Summary of the Invention



In Lamport's hash algorithm, the password that will be
used next is determined by inquiring a numerical value n that
indicates how far the password has been consumed, and the service
system side need store only this n and the corresponding hash value.
However, there are the following two problems in applying this
one-time password to the business system and the commercial
service system.

The first problem is that because communication is 
performed between the business system and the service system 
in accordance with the Lamport's hash algorithm, the 
communication needs to be performed multiple times between the 
business system and the service system, thereby increasing the 
load of the business system. 

The second problem is that only one hash value is stored
at the service side, so one account cannot be used by multiple
persons at the same time.

An object of the present invention is to provide a login
authentication method for reducing traffic and enabling
concurrent utilization of one account by multiple persons,
and a system implementing it.

According to the method described in the first aspect of
the present invention, because the communication that inquires
how far a password has been used at present need not be
performed, the traffic can be reduced. Further, according to
the method described in claim 2 or 3, since all passwords have
previously been sent to the commercial service system, multiple
persons can perform login processing at the same time.

Brief Description of the Drawing 

Fig. 1 is a general drawing of a processing method according 
to one example of the present invention. 

Fig. 2 is a block diagram of the password list of the present
invention.

Fig. 3 is a general drawing of the processing method in 
the accounting information of the present invention. 

Description of the Preferred Embodiments 

One embodiment of the present invention is described below. 

Fig. 1 shows a general drawing of a processing method
according to one example of the present invention. In an
enterprise, there are a business system 1 and a client 3 (terminal
or computer) that a user uses. The user logs in to the business
system 1. Further, the user also uses a service system that
exists at an external commercial service site. A commercial
service system has accounting information 41 for every user in
order to manage the user. The case where multiple users share
and use this accounting information 41 is considered.

Prior to login authentication, a password list 40 is
generated in the business system. There are N passwords in this
password list 40. Here, an individual password is assumed to
be generated from a random number. This password list 40 is
sent 500 to the service system 2 and stored as the passwords of
the accounting information 41. Further, each password stores
a pair of flags that indicate whether this password is already
used or unused. The initial value of this flag is unused. When
the user uses a commercial service, the user sends 501 a request
for use of the commercial service system 2 from the client 3
that the user is using to the business system 1.

The business system 1 that received the request for use
checks 502 the commercial service use authority of the user. If
the use authority is provided, any password 401 is selected 503
from the password list 40 and returned 504 to the client.

To prevent the selected password from being allocated to a
client again, the selected password is eliminated from the
password list, or the line for the selected password is made blank.

The client 3 sends 505 the returned password to the 
commercial service system 2. The commercial service system 2 
makes a comparison 506 with a password within the accounting 
information 41, and permits login if a matching password (411 
in this case) is provided. Further, the commercial service 
system 2 changes a flag paired with the used password to the 
used flag in order to nullify 507 the used password. 

In the series of processing described above, login
authentication processing can be performed by multiple users
on one account at the same time by always allocating a different
password to each user.
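The first embodiment above, modelled in Python as an added illustration that is not part of the patent text: the business system holds the unallocated part of password list 40, the service system keeps accounting information 41 as a password-to-flag map, and the user names and list size are constructed.

```python
import secrets

def generate_password_list(count: int) -> list:
    """Password list 40: N passwords, each generated from a random number."""
    return [secrets.token_hex(16) for _ in range(count)]

class BusinessSystem:
    """Business system 1 (constructed example): holds the unallocated passwords."""
    def __init__(self, password_list, authorized_users):
        self.password_list = list(password_list)
        self.authorized = set(authorized_users)   # commercial service use authority
    def request_use(self, user):
        # Steps 502-504: check authority, pick any password, return it to the client;
        # the chosen password is removed so it can never be allocated twice.
        if user not in self.authorized or not self.password_list:
            return None
        return self.password_list.pop(secrets.randbelow(len(self.password_list)))

class ServiceSystem:
    """Service system 2: accounting information 41 maps password -> used flag."""
    def __init__(self, password_list):
        self.accounting = {pw: False for pw in password_list}   # False = unused
    def login(self, password):
        # Steps 506-507: permit login only for a listed, unused password, then flip
        # its flag to used so a leaked or replayed password is rejected afterwards.
        if self.accounting.get(password) is not False:
            return False
        self.accounting[password] = True
        return True

def run_scenario():
    """Two users share one account at the same time; a replayed password fails."""
    passwords = generate_password_list(4)
    business = BusinessSystem(passwords, {"alice", "bob"})   # constructed user names
    service = ServiceSystem(passwords)
    pw_alice = business.request_use("alice")
    pw_bob = business.request_use("bob")
    return {
        "distinct": pw_alice != pw_bob,
        "alice_ok": service.login(pw_alice),
        "bob_ok": service.login(pw_bob),
        "replay_rejected": not service.login(pw_alice),
        "unauthorized": business.request_use("mallory") is None,
        "unknown_rejected": not service.login("not-in-list"),
    }
```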

One embodiment was described above; as a modification of
this example, an example in which the one-time password
algorithm is modified and applied to the processing method
of the present invention is described below.

A second example in which the password list 40 of the first
example is replaced is described using the password list of
Fig. 2. Here, an individual password is generated by
sequentially applying a hash function to an arbitrary initial
value r. Hash[n](r) 402 indicates the result of applying the
hash function to r n times (402).

Prior to login authentication, the business system sends
500 the total applicable number of times N of the hash function
and only Hash[N](r) to the service system 2.

A third example in which the accounting information 41
of the first example is replaced is described using the
accounting information of Fig. 3. Here, each password stores
the applicable number of times of the hash function and a pair
of flags that indicate whether this password is already used
or unused (412). In the initial state, the accounting
information stores Hash[N](r), N, and only the unused pair of flags.

When a request for use of a commercial service is received
from a user, the password selection processing 503 of the business
system 1 allocates passwords sequentially, starting from the
password whose applicable number of times n is highest.



The return processing 504 to the client also returns the
password 402 and the applicable number of times n. The comparison
processing 506 in the commercial service system 2 applies the
hash function to the password Hash[n](r) sent from the client
only for the difference between the total number of applicable
times N and the applicable number of times n, compares the
result Hash[N-n](password) with the stored value Hash[N](r),
and permits login if they match.

An example for reducing the computational complexity of the hash
function in the commercial service system 2 is shown. Because
the comparison processing 506 in the commercial service system
2 performs computation in which the hash function is applied
multiple times, each intermediate result is added to the
accounting information 41. Here, when the computation is
performed until the applicable number of times reaches m, the
computation of the hash function results in Hash[m-n](password),
and the result is compared with Hash[m](r). On this occasion,
the intermediate results from the applicable number of times n
to m are stored. Subsequently, in the comparison processing of a
password whose applicable number of times is higher than
n and lower than m, the hash function is not computed.
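The second and third examples together with the intermediate-result cache just described, as an added Python illustration that is not the patent's own code: SHA-256 stands in for the unspecified hash function, the secret r and the list size N are constructed, and `hash_calls` counts hash evaluations so the saving is visible.

```python
import hashlib
import secrets

def hash_times(value: bytes, times: int) -> bytes:  # Hash[times](value)
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

class ChainBusinessSystem:
    """Business system 1 (constructed example): keeps r, allocates from the highest n down."""
    def __init__(self, total: int):
        self.r = secrets.token_bytes(32)              # arbitrary initial value r
        self.total, self.next_n = total, total - 1    # N and the next n to hand out
    def setup_message(self):
        # Step 500: only N and Hash[N](r) go to the service system
        return self.total, hash_times(self.r, self.total)
    def allocate(self):
        # Steps 503/504: return (n, Hash[n](r)); each n is handed out exactly once
        if self.next_n < 0:
            raise RuntimeError("password list exhausted")
        n, self.next_n = self.next_n, self.next_n - 1
        return n, hash_times(self.r, n)

class ChainServiceSystem:
    """Service system 2: stores Hash[N](r), N, used flags, and cached intermediates."""
    def __init__(self, total: int, anchor: bytes):
        self.total = total
        self.known = {total: anchor}   # k -> Hash[k](r); grows with each verified chain
        self.used, self.hash_calls = set(), 0   # used flags; hash evaluations performed
    def verify(self, n: int, password: bytes) -> bool:
        # Steps 506/507: Hash[m-n](password) must equal the stored Hash[m](r), where m is
        # the nearest cached index above n; if Hash[n](r) is already cached, no hashing.
        if not 0 <= n < self.total or n in self.used:
            return False
        chain = {}
        if n in self.known:
            ok = password == self.known[n]
        else:
            m = min(k for k in self.known if k > n)
            chain, value = {n: password}, password
            for k in range(n + 1, m + 1):
                value = hashlib.sha256(value).digest()
                self.hash_calls += 1
                chain[k] = value
            ok = value == self.known[m]
        if ok:
            self.known.update(chain)   # store the intermediate results from n to m
            self.used.add(n)           # nullify: flip the password's flag to used
        return ok
```

A failed comparison stores nothing, so a guessed value cannot seed the cache; only chains that reach a stored Hash[m](r) are kept.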

A user can use a business system and a commercial service
system without needing to be aware of the system or service
that the user is using.

A business restriction stating that "only a specific user
can use a commercial service" can be satisfied safely.

The traffic between the business system and the commercial
service system can be reduced.

Further, one account of the commercial service system can
be shared by multiple persons.

As a result, the traffic is reduced and concurrent
utilization of one account by multiple persons is enabled.



